Phishing attacks typically cast a wide net, trying to snag a few targets through the mass distribution of fraudulent emails. Even as these attacks become increasingly common, some malicious actors are looking to get their hooks into even bigger fish.
Law enforcement officials and information security experts have noted a steady increase in “whaling” attacks aimed at senior executives, managers and other key individuals in IT, accounting and finance. These attacks require more effort than phishing attacks, but they offer the potential for a much bigger catch — direct access to a company’s information and financial assets.
Whaling is a highly targeted variation of phishing in which criminals spend significant time, money and effort studying a company’s management structure. Their objective is to go after those who command “big fish” status within an organization because of their influence, authority and access privileges. According to the FBI, such attacks cost businesses billions of dollars each year.
Taking a Deep Dive
Whaling attacks tend to be carefully crafted and highly personalized, with none of the spelling and grammar mistakes common in generic phishing scams. Whaling emails are often designed by professionals who use names, job titles, company logos, phone numbers and other details that make the communications look as legitimate as possible.
Executives aren’t just attractive targets — they are often easy targets as well. Many do not participate in regular security awareness training due to their busy schedules, and they often sidestep company security controls in the name of convenience. The use of social media to develop business contacts also creates vulnerabilities. These sites can be a goldmine of personal information that criminals can use to make whaling emails seem more legitimate.
Armed with personal information, scammers can assume the identity of the executive to trick employees into giving up information or money. They exploit the fact that few employees will question a directive from company executives. There have been several cases where hackers spoofed or hijacked the CEO’s email and tricked employees into forwarding account information or wiring funds to a fake account.
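The spoofed-executive scenario above is one a mail gateway or SOC can screen for mechanically. The following is an added example, not code from the original article or from Verteks: it checks an inbound message for the signs described in the text, a display name matching a known executive but a sender address or Reply-To outside the company domain, combined with urgent payment or wire language. The executive roster, the company domain and both sample messages are constructed for illustration.

```python
"""Flag inbound mail that impersonates a named executive.

Added example, not from the original article. The executive roster,
company domain and sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {                                      # constructed roster
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
URGENT_TERMS = ("wire", "urgent", "confidential", "payment", "transfer")


def _domain(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw):
    """Return a list of reasons the message looks like executive impersonation.

    An empty list means nothing suspicious was found. Assumes a single-part,
    plain-text message (get_payload() returns a str in that case).
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # Normalise case and whitespace so "JANE  Doe" still matches the roster.
    name_key = " ".join(name.lower().split())
    expected = EXECUTIVES.get(name_key)
    if expected is None:
        return []  # display name does not claim to be one of our executives

    findings = []
    if addr.lower() != expected:
        findings.append(
            f"display name {name!r} matches an executive but the address is {addr}")
    if _domain(addr) != COMPANY_DOMAIN:
        findings.append(
            f"sender domain {_domain(addr)!r} is outside {COMPANY_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != COMPANY_DOMAIN:
        findings.append(f"Reply-To {reply_to} routes replies outside the company")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [term for term in URGENT_TERMS if term in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample: display name of an executive, external sender and Reply-To.
SAMPLE_SPOOFED = """From: Jane Doe <jane.doe@exec-mail.co>
Reply-To: Jane Doe <j.doe@exec-mail.co>
To: accounts@example.com
Subject: Urgent wire transfer - confidential

Please process the attached wire today and keep this between us.
"""

# Constructed sample: genuine internal message from the same executive.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Let's meet Thursday to go over the Q3 numbers.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(sample) or "no findings")
```

The check is a heuristic layer, not a replacement for SPF, DKIM and DMARC enforcement on the gateway; its value is catching the display-name impersonation that authentication checks pass, because the attacker's own domain is authenticated correctly. Any message that produces findings is a candidate for the out-of-band verification the article recommends.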
Using AI Lures
Scammers are also leveraging artificial intelligence (AI) technologies to execute attacks. AI makes it easier to rapidly find and collect a wealth of online information about potential victims, including personal information, contacts and favorite sites. Using natural language processing and text analysis tools, they can then mimic the look, feel and writing style of these resources in order to automatically generate emails that are likely to trick victims.
Analysts also warn that criminals are using AI to create convincing chatbots or deepfake videos to masquerade as executives. In one such attack, criminals used AI software to mimic the voice of an energy company CEO and trick an employee into transferring nearly $250,000 into a secret account.
Education is always the first line of defense against phishing and whaling attacks. If executives balk, IT should advise them of the extreme risk to the company if they don’t follow cybersecurity best practices. Executives should be required to complete training exercises and to help develop protocols for verifying unusual or suspicious email requests, either by phone or in person.
Education and prevention are essential elements of Verteks’ cybersecurity practice. We can set up training programs that accommodate executives’ busy schedules using a variety of interactive modules, videos, games and newsletters. We’ll also conduct post-training evaluations to assess the effectiveness of awareness programs. Call us to learn more about keeping your top execs from being reeled in by whaling attacks.